#RSAC: Securing Software Supply Chains Requires Outside-the-Box Thinking

New security solutions and ideas are needed to overcome the security challenges inherent in the software supply chain, according to a panel of vendors speaking on day three of the RSA 2023 conference.

Omer Yaron, head of research at Enso Security, said supply chain attacks are still a relatively new area and “it wasn’t the incident response of a few years ago.”

Responding to software supply chain incidents is very different from other types of cyberattacks. First, these attacks tend to affect many organizations at the same time, making it much more difficult to quickly enlist outside assistance to mitigate these incidents.

Additionally, there are many different types of supply chain attacks, and exploiting vulnerabilities like Log4j, for example, requires a different approach than dealing with malicious packages.

The increased use of open source code is a particular security concern, said Idan Wiener, CEO and co-founder of illustria: “It’s never been a safe place.”

He added: “When you use open source, you have to think again.”

Karine Ben-Simhon, VP Customer Advocacy ARC at Trellix, agreed, arguing that “we are not doing enough as a community.”


New mitigation measures

Ben-Simhon urged the cyber community to raise awareness of software security issues among developers, pointing to Israeli researcher forums for exactly that purpose.

She explained that even though the researchers all come from competitors within the industry, they share insights on vulnerabilities and threats. This led to the creation of a GitHub tool that “allows developers to check if a package is malicious”.

Yaron also encouraged more internal collaboration between security teams and developers. In particular, he called on security practitioners to challenge the R&D department on what it is doing. “Understand the R&D questions,” he advised.

The panel also discussed whether AI tools, including ChatGPT, can help reduce risks in the software supply chain. Wiener acknowledged that ChatGPT can classify malicious code. But when his team manipulated the code to change its behavior and fool the AI chatbot, it failed to recognize the malicious package. His verdict on ChatGPT and AI in general: “not yet”.

Yaron agreed, but noted that AI tools could help security teams in this area by “creating a lot of processes that can be done faster than they are today.”

Growing regulation

According to Nir Peleg, BizDev VP at Scribe Security, a company that works with the Department of Homeland Security (DHS) in this area, US government involvement in software supply chain security is increasing and its impact is starting to show.

He pointed out that President Biden’s Executive Order 14028, issued in May 2021, requires federal software suppliers to create a software bill of materials (SBOM). This is currently enforced.

These rules have since been set for the broader economy in NIST’s Software Supply Chain Security Guidance, and “organizations are starting to adapt,” said Peleg.

Additionally, he observed that the US National Cyber Strategy shifts responsibility for software security to developers and producers as part of its Security by Design objectives.

While this is a positive step, Ben-Simhon noted that most of the regulations in this area focus on developers and few on consumers, and she wants to see that change.
